Azure users unable to log in when integrated with Data Center SSO 2.0
Platform Notice: Data Center Only - This article only applies to Atlassian products on the data center platform.
Summary
After integrating Data Center with Azure via the Data Center SSO 2.0 plugin, Azure users receive a generic "We can't log you in right now" error message when trying to log into Confluence.
Environment
- Azure Active Directory
- Data Center SSO 2.0 plugin
Diagnosis
For a given user encountering this situation while logging in, the following error appears in the application logs:
2021-12-22 19:01:27,386 ERROR [http-nio-8080-exec-5] [impl.web.filter.ErrorHandlingFilter] logException [UUID: 79a91343-3bf8-4cfb-a562-022612ebe316] Attribute [http://schemas.microsoft.com/ws/2008/06/identity/claims/groups] could not be found
-- referer: https://login.microsoftonline.com/ | url: /plugins/servlet/samlconsumer | traceId: e905ee736246ea42 | userName: anonymous
com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.JitException: Attribute [http://schemas.microsoft.com/ws/2008/06/identity/claims/groups] could not be found
at com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.mapping.SamlUserDataFromIdpMapper.mapGroups(SamlUserDataFromIdpMapper.java:56)
at com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.mapping.SamlUserDataFromIdpMapper.mapUser(SamlUserDataFromIdpMapper.java:28)
at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:105)
Investigate the SAML attributes being sent to Confluence by using a tool such as SAML Chrome Panel. Normally, the SAML reply will contain the following attribute along with a list of groups:
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"><AttributeValue>
Instead of this particular attribute, however, you note that the following attribute is present for the user:
<Attribute Name="http://schemas.microsoft.com/claims/groups.link"><AttributeValue>
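The check described above can be automated against a captured assertion. The following script is an added example, not part of this article or of the Data Center SSO 2.0 plugin: it base64-decodes the SAMLResponse parameter a browser posts to /plugins/servlet/samlconsumer, lists the SAML attributes, and reports whether the normal groups claim is present or whether Azure AD substituted the groups.link overage indicator. The two assertions embedded in it are constructed samples (unsigned, placeholder group IDs and a placeholder Graph URL), not real Azure tokens.

```python
"""Diagnose Azure AD group claims in a SAML assertion.

Added example, not part of the Atlassian article or the Data Center SSO plugin.
It parses a SAML assertion (such as one captured with SAML Chrome Panel) and
reports whether the normal groups claim is present or whether Azure AD sent
the groups.link overage indicator instead.
"""
import base64
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"


def decode_saml_response(b64_response: str) -> str:
    """Decode the base64 SAMLResponse form parameter posted to the SAML consumer servlet."""
    return base64.b64decode(b64_response).decode("utf-8")


def saml_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} for every <Attribute> in the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs[attr.get("Name")] = values
    return attrs


def diagnose_group_claims(assertion_xml: str) -> dict:
    """Classify the assertion: 'ok' (groups claim present), 'overage'
    (groups.link present instead of groups), or 'missing' (neither)."""
    attrs = saml_attributes(assertion_xml)
    groups = attrs.get(GROUPS_CLAIM, [])
    overage = OVERAGE_CLAIM in attrs
    if groups:
        verdict = "ok"
    elif overage:
        verdict = "overage"
    else:
        verdict = "missing"
    return {"groups": groups, "overage": overage, "verdict": verdict}


def build_assertion(attributes: dict) -> str:
    """Build a minimal unsigned assertion (constructed sample, not a real Azure token)."""
    parts = [f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed" Version="2.0">',
             "<saml:AttributeStatement>"]
    for name, values in attributes.items():
        parts.append(f'<saml:Attribute Name="{name}">')
        parts.extend(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        parts.append("</saml:Attribute>")
    parts.append("</saml:AttributeStatement></saml:Assertion>")
    return "".join(parts)


# Constructed sample 1: a user with two groups, the normal case.
NORMAL_ASSERTION = build_assertion({
    NAME_CLAIM: ["jdoe@example.com"],
    GROUPS_CLAIM: ["11111111-1111-1111-1111-111111111111",
                   "22222222-2222-2222-2222-222222222222"],
})

# Constructed sample 2: a user over the 150-group limit; Azure AD sends only the
# overage indicator (placeholder URL, not a real Graph endpoint).
OVERAGE_ASSERTION = build_assertion({
    NAME_CLAIM: ["jdoe@example.com"],
    OVERAGE_CLAIM: ["https://graph.example.invalid/tenant-placeholder/users/user-placeholder/getMemberObjects"],
})


if __name__ == "__main__":
    for label, xml_text in (("normal", NORMAL_ASSERTION), ("overage", OVERAGE_ASSERTION)):
        posted = base64.b64encode(xml_text.encode()).decode()  # what the browser posts
        result = diagnose_group_claims(decode_saml_response(posted))
        print(f"{label}: verdict={result['verdict']} groups={len(result['groups'])}")
```

A verdict of "overage" on an assertion for a user who sees the "We can't log you in right now" error confirms the cause described below; a verdict of "missing" points instead at a group claim that was never configured on the Azure enterprise application.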
Cause
Based on Microsoft's SAML token claims reference, the groups.link attribute is a group overage indicator: Azure AD emits it in place of the groups claim when the number of groups associated with the user exceeds the limit of 150, so the individual group values never reach the plugin's JIT user mapping. This scenario is documented in SAMLDC-97: JIT does not work with Azure AD SSO for users with more than 150 groups.
Solution
As a possible workaround, consider adding the user to an application-only group and reconfiguring the group claim on the Azure application so that it emits only groups assigned to the application (i.e. User.Groups[ApplicationGroup]), which keeps the claim under the limit. Also ensure that this group has the appropriate global permissions within the Atlassian application.